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(54) lUlethod and apparatus for remotely changing security features of a postage meter 



(57) A value printing system (1) having a printing 
mechanism (33); a device (31 , 32) for moving the print- 
ing mechanism in a first predetermined manner during 
printing to recoid an indication of value on a recording 
medium; and apparatus (8), remote from the printing 
mechanism and the moving device, for effecting the 
moving device (31 , 32) to change the movement of the 
printing mechanism (33) from the first predetermined 
manner to a secorKi different predetermined manner 
during printing by the printing mechanism. In arx>ther 
embodiment, the value printing system includes a print- 
ing module (5) which prints an indication of value on a 
recording medium and apparatus (7) for accounting for 
the incfication of value printed. The accounting appara- 
tus and printing nrxxJule communicate with each other to 
effectuate printing by the printing module. An authoriz- 



ing device (9) is provided for auttx>rizing the authenticity 
of the communication t>etween the accounting appara- 
tus (7) and tiie printing nrxxiule (5) as a prerequisite to 
printing the indication of value on the recording medium, 
the authorizing device including the use of at least one 
secret key. stored in the value printing system Structure 
is provided, renxite from the printing module (5), the 
accounting apparatus (7) and the authorizing device (9). 
for initiating changirig of the at least one secret k^. A 
method may include the steps of sending a code from a 
computer, remotely located from the printing mecha- 
nism, the accounting apparatus and the authorizir^ 
apparatus, to the value printing system (7) and utilizirig 
the code to change the stored secret k^. 
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Description • ---^ - 

This invention relates to value printing systems and 
is appficable to a method and apparatus for remotely 
changng security features of a postage meter. s 

Bectronic postage meters are currently used 
throughout the world. These electronic postage meters 
often use digital printing technology, such as ink jet 
printing, to print a postal indicia on a mailpieca The 
postal indicia serves as evidence that postage has been 10 
paid. In order to drive down the cost of such electronic 
postage meters, inexpensive digital printtieads may be 
i^ed. Such inexpensive digital printheads typically have 
a low nozzle density. If these low cost digital printheacte 
are used however, the printhead may t>e required to is 
make mult9)le passes over the mailpiece in the area 
where the indicia is to be printed in order to produce an 
indicia having a print quality which is acceptable to the 
postal autfiority. For example, in a two pass printing sys- 
tem the printhead wouki produce an indk:ta image dur- so 
rng a first pass. Then, during a subsequent pass of the 
printhead over the same area in whk:h the trvJk:ia was 
previously printed, a complete second irvfida image can 
be formed whk:h is interlaced ( such as t>eing offset by 
one pixel from the first indk:ia)with the first printed indi- 2s 
da image such that the combination of the two indicia 
images produces a higher density indicia image as 
compared to either of the irvf ividual indida images pro- 
duced during tfie first and second printhead passes. 
Thus, the resulting indk^ image is signifk:antly more 30 
defined. However, the incfivkiual printing of two com- 
plete indida, which are offset and interlaced with each 
other, to produce a final indida image preserrts a poten- 
tial security problem in that if someone stacked two 
mailpieces in the postage meter and renrxTved one after 3$ 
the first pass of the printhead, the result woukJ be that 
two mailpieces are produced with each mailpiece hav- 
ing an incfida image printed thereon. The postage 
meter, fxnwever, wouti only have accounted for one 
printed incfida. While the indk:ia printed on each mail- 40 
piece wouU t>e of signifk:antly lower quality tfian the 
desired combined indida image, it is possS)le tfiat each 
of these images coukJ pass through the postal process- 
ing stream without being detected as an invalkl indkaa. 
Accordingly, the postal service woukJ be tosing revenua 45 

In order to overcome this problem, it has been pro- 
posed to only print a portkm of the postage incfida _ 
image during the second pass of tfte printtiead. The 
printed portk>n wouM be interlaced with the incfida 
image produced during the fir^ printhead pass and so 
wouU prcvkie increased density to selected portk>ns of 
the incfida image. The printed portk>n of tfie second 
pass wouU not necessarily be a recognizable incfida in 
and of itself. However, depending on the amount of 
detail that is printed during the second pass, there still ss 
&as^ the possibOity that a mailpiece just having a por- 
tbn of the incfida image could pass through the postal 
stream without being detected as an invafid indkia. 



-Thus, whether or not in practice this potential problem 
will (xxur, it is important to be able to alter the printing 
operatbn of tfie postage nrteter printhead after place- 
ment of these meters with the customer rf the situation 
cfictates tfiat such alteration is warranted. That is, if a 
partkxdar postal authority deddes, subsequent to pro- 
viding postage meters to users, that either of the above 
problems has materiaGzed. it wfll be necessary to mod- 
ify aD of the meters being used to provkie a mae secure 
printing environment It is desirable that such a change 
to the printhead printing operatkxi be accompGshed 
without reqiirir^ the printhead and/or the postage 
nteter to be physkaUy tMought back to ttie met^ manu- 
facturer or the postal servrce. 

An additional potential security issue is also 
present in electronk: postage meters because in many 
of these meters the functionality of the postage meter 
vault and the digital printhead control have been put into 
separate mocfulea Th^ modularizatbn aDows the vault 
and the printhead nxxlules to be independently 
changed in any particular meter, arxJ perrrats the use of 
multiple removable external vaults (such as smartcards) 
to t>e used with a single meter base fiaving the print- 
head module therein. However, since the vault and 
meter are no longer pfiysk^ally secured together, as in 
oMer meters, and th^ communicate with each other 
ciuring each postage transaction via a non-secure com- 
municatior^ link, tampering with the postage meter is 
possit)le via an attack on the non-secure communk;a- 
tkxis link. It has therefore been suggested tfiat a mutual 
authentk;ation procedure take place between the print- 
head module arxJ the printhead vault prior to the post- 
age transaction being autf^orized. A representative 
example of a mutual authenticatfon pr(x:edure is set 
forth in United States Patent No. 4,802,218. Most of the 
known rruitual authenticatfon procedures perform some 
type of encrypted conununication fc>etween the vault and 
the printhead mcxfules which communication is t>ased 
upon the use of an internally stored secret key in con- 
junction with an algorithm. However, in the event tfiat 
the security of the stored secret k^ is compromised, it 
woukf t>e possble for son>eone to print postal indic:ia 
without the proper accounting taking place, aftfxxjgh 
details of tfie algorithm woukJ still have to be obtained to 
make this possble. Accordingly, it is desirable to have 
the ability to cfiversify (change) the seaet key or secret 
keys used by the postage meter during its authentk^a- 
tion procedure in the event tfiat the originally stored 
secr^ keys have been ccxnprom^ed. Moreover, tfie 
atxlity to cfiversify the k^ in a remote manner is also 
needed in order to avokl requiring the user to physk^aDy 
bring the meter to either the meter manufacturer or the 
cognisant postal authority. 

It is an object of the inventfon to provkie a system 
for printing value whk^h can be remotely modified to 
change its printing operatfon for security purposes. 

According to one aspect of the invention, there is 
provkJed a value printing system having a printing 
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mechantsm;^a device for moving 018^01109 mecha- 
nism In a first predetermined manner during printing by 
the printing mechanism to record an indication of value 
on a recording mecfium; and apparatus, remote from the 
printing mecharvsm and the moving device, for effecting 
the moving device to change the nrv3vement of the print- 
ing mechansm from the first predetermined marine to 
a second predetemvned manner different from the first 
predetermined manner during printing by the printing 
mechanism to record the indk;ation of value on the 
recording medium. 

Another ot]ject of tfie invention is to provide a value 
printing system which can remotely change stored keys 
used in authenticating the value printing system. 

According to a further aspect of the invention, there 
is provided a value printing system including a printing 
module which prints an indication of value on a record- 
ing mecfium; apparatus for accounting for the incf cation 
of value printed, the accounting apparatus and printing 
module communicating with each other to effectuate 
printing by the printing module; an authorizing device for 
authorizing the authenticity of the communication 
between the accounting apparatus and the printing 
module as a prerequisite to printing the indication of 
value on tfie recording medium, the authorizing deme 
including the use of at least one secret key stored in the 
value printing system; and structure, remote from the 
printing module and the accounting apparatus and the 
authorizing device, for initiating changing of the at least 
one secret key. 

Stin arKSther object is to provide a method for 
changirtg a secret key stored in the atxyve descrl>ed 
value printing system. This object is met by a method 
including the steps of sending a code from a computer. 
renx>tety located from the printing mechanism, the 
accounting apparatus and the authorizing device, to the 
value printing system; and utilizing the code'to change 
the stored secret key 

The accompanying drawings, which are incorpo- 
rated in and constitute a part of the specification, illus- 
trate a presently preferred embodiment of the invention, 
and together with the general descrptfon given above 
and the detailed description of the preferred embodi- 
ment given t>ek3w, sen^e to explain the prirxaples of the 
invention. 

In the drawings: 

Figure 1 is a schematic electrical block diagram of 
an electronic postage meter according to an 
errtxxiiment of the claimed invention; 
Figure 2 isa postage indicia produced by the post- 
age meter; 

Figure 3 is afkiw chart of an authenticatfon proce- 
dure incorporated in the postage meter; and 
Figure 4 e a meter modification coda 

Figure 1 shows a schematic representation of a 
postage me^er 1 implementing an embocfiment of the 



invention. Postage -meter 1' includes a' base 3 and a w:^-?- -^k* 
printhead module 5. Base 3 includes a first functional 
sut>system referred to as a vault microprocessor 7 and 
a second fuictional subsystem referred to as a base 

5 microprocessor 9. Vaiit microprocessor 7 has software 
and associated memory to perform the accounting func- 
tions of postage meter 1 . That is, vault microprocessor 
7 has the capability to have downloaded therein a pre- 
determined amount of postage funds from a central 

10 computer 6 of a r^note data center 8 via a telephone 
modem 1 0. Such a remote postage m^er charging sys- 
tem is descrfoed in United States Patent No. 4.097,^. 
During each postage transactioa vault microprocessor 
7 checks to see if suff k^ient funds are availabia If suff i- 

15 cient funds are available, vault microprocessor 7 debits 
the amount from a descerxfing reg^er, adds the 
anxHjnt to an ascending register, arxi sends the post- 
age anrxxjnt to the printhead module 5 via the t>ase 
miaoprocessor 9. Base nvcroprocessor 9 ateo sencte 

20 the date of submission data to the printhead nrnxJule 5, 
via line 14, so tfiat a conrplete indicia image can be 
printed. 

Vkutt microprocessor 7 thus manages tfie postage 
funds with the ascending register representing the life- 

25 time amount of postage funds spent the descending 
register representing tfte amount of funds currentiy 
available, and a control sum reg^er showing the run- 
ning total amount of furxis which have been credited to 
the vault mk;roprocessor 7. Additional features of vault 

30 microprocessor 7 which can t>e included are a piece 
counter register, encryption algorithms for generating 
vendor and postal tokens, and software for requiring a 
user to input a personal identification number which 
must t>e verified by the vault microprocessor 7 prior to 

35 its authorizing any vault transaction. Alternatively, the 
verifkatfon of the personal tientifk^tion number couti 
be accomplished by ertfier the t>ase nw^roprocessor 9 or 
the print module microprocessor 41 (cf scussed below). 
Additionalty. and as previously discussed, the postage 

40 meter vault can be charged with additional funds from 
the data center. 

Base microprocessor 9 acts as a message coordi- 
nator in coordinating and assisting in the transfer of 
information afong data line 12 t>etween the vault micro- 

46 processor 7 and the printhead nxxJule 5, as well as 
coordinating various support functions necessary to 
complete the nnetering function. Base microprocessor 9 
interacts with keyboard 11 to transfer user information 
input through k^board keys 11a (such as. postage 

50 amount, date of sut>rnsskxi) to tfm vault mkroproces- 
sor 7. Additionally, base nrucroprocessor 9 sends data to 
a Oquid crystal dBsplay 13 via a driver/controller 15 for 
the purpose of cfisplaying i^er inputs or for prompting 
the user for additional inputs. Moreover, base nticro- 

55 processor 9 provides power and a res^ signal to vault 
microprocessor 7 via respective Gnes 17, 19. Aclock20 
presides date and time information to base miaoproc- 
essor 9. Alternatively, cfock 20 can be eliminated and 
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the clock' function caiv be acoorriplish^^^ - 
microprocessor 9. Base microprocessor 9 also prcvides 
a dodk signal to vault nmcroprocessor 7. 

Postage meter 1 also includes a conventional 
pcwer suppHy 21 which conditions raw A.a voltages s 
from a mil mounted transformer 23 to provide the 
required regulated and unregulated D.C. voltages for 
the postage m^er 1. Vbltages are output via lines 25, 
27. and 29 to a printhead motor 31 , printhead 33 and all 
logic circuits. Motor 31 is used to control the moventent io 
of the printhead 33 relative to the mailpiece upon which 
an indicia image is to be printed. Base microprocessor 
9 controls the supply of power to motor 31 to ensure the 
proper starting arxJ stoppng of printhead 33 movement 
after vault microprocessor 7 autfK>rizes a postage trans- is 
action.' 

Base 3 also includes a motion erKOder 35 that 
senses the mcvement of the printhead motor 31 so that 
the exact position of printhead 33 along a first direction 
of nfKivement can t>e detemruned. Signals from motion 20 
erKOder 35 are sent to printhead nxxlule 5 to coordi- 
nate the energizing of irxTividual printhead elements 
33a in printhead 33 with the positioning of printhead 33. 
Alternatively; motion encoder 35 can be eliminated and 
the pulses applied to stepper motor 31 can be counted 2S 
to determine the location of printhead 33 and to coorcfi- 
nate energizing of printhead elements 33a. AddrtionaOy, 
a second vntitor 32 which is used to move the printhead 
33 in a cfirection perpendicular to the first direction of 
printhead nrravement relative to the position of printhead 30 
33 in the first direction of movement. 

Printhead module 5 includes printhead 33. a print- 
head driver 37, a drawing engine 39 (which can be a 
microprocessor or an AppGcation Specific Integrated 
Circuit (ASIC)), a microprocessor 41 and a non-volatile 35 
memory 43. t^VM 43 has stored therein indicia image 
data which can t>e printed on a mailpiece. Microproces- 
sor 41 receives a print command, the postage anxxint. 
arxJ date of sUk>mission via the base microprocessor 9. 
The postage amount and date of submission are sent 40 
frommiCToprocessor41 to the drawing engine 39 which 
then accesses non-volatile memory 43 to obtain the 
required indicia image data tfierelrom which is stored in 
registers 44 to 44n. The stored image is then dowr>- 
loaded on a column-by column t>as^ tyy the drawing 45 
engine 39 to the printhead driver 37. via column buffers 
45,47 in order to energize individual printhead elements 
33a to print the indicia image on the mailpiece. Theincfi- 
vidual column-by-column generation of the incfida 
image synchronized with movement of printhead 33 so 
until the fuO indicia is produced. Specific details of the 
generation of the indicia image is set forth in U.S. Patent 
number 5,651,103. 

Figure 2 shews an enlarged representative exam- 
ple of a typical postage incficta which can be printed tyy ss 
postage meter 1 for use in the United States. The post- 
age indicia 51 includes a graphical image 53 tndufing 
the 3 stars in the upper left hand comer, the words 



-nJNITED STATES POSTAGP, and the eagle image; an— - - 

indicia identification number 55; a date of submission 
57; the originating zip code 59; the words *maOed from 
zip code' 61, which for the ease of simplicity is Just 
being shown with the worcte 'SPECIMEN SPECIMEN^ 
the postage amount 63; a piece count 65; a check cfigits 
number 67; a vendor I.D. number 69; a vendor token 71 ; 
a postal token 73; and a nujltipass check digit 75. While . 
most of the portions of the incfida image 51 are self 
explanatory, a few require a brief explanation. The ven- 
dor I.D. numt>er identifies the manufacturer of the meter, 
and the vendor token arxJ postal token numbers are 
encrypted numbers whk:h can be used by the manufac- 
turer and post off k:e. respectively, to verify if a valid indi- 
da has been produced. As previously dscussed. the 
postal indida 51 is produced during two irxlivkJual 
passes of printhead 33 along a predetermined length of 
the first (firectfon of nxvement That is. during a first 
pass of the printhead 33 in the "X" direction, a complete 
indicia image is printed. Then, base mkjocontroller 9 
activates nKTtor 31 to shift the printhead 33 in the 
direction. Once the shift has occurred. nfKTtor 36 is deen- 
ergized and during a second pass of printhead 33 in the 
'X* (firection either a second indksa is printed or por- 
tfons of the indicia are printed. The image printed during 
the second pass is interiaced with the first indida image 
resulting in a combined indida image of increased den- 
sity as compared to either of the incfividual in^ges. 
Details of a specific implementation of the two pass 
printing system are discussed in European Patent 
Applk»tk)n nunt>er 0782096. 

The Rgure 2 indk:^ is simply a representative 
exanrf)le and the information contained therein will vary 
from country to country. In the context of this application 
the terms indicia and incfida image are being used to 
include any specif b requirements of any country. 

A benefit of tfie above-described distrftxited post- 
age meter system is that because of the divided func- 
tionality, less expensive mk;roprocessor8 can t>e utilized 
resulting in a lower cost postage meter. Moreover, the 
modularity of the system allows for easy replacement of 
the vault and printing modules in the event of faOure of 
either of these modules. However, as previously cfis- 
a^ed. the use of a distrOxited digital system where 
data is transferred over physically unsecured data lines 
(for exanple. data fines 12. 14) results in the system 
being susceptit)le to having its data intercepted and 
reproduced. If such interception and reproduction is 
accomplished, it is possft)le tfiat printing module 5 couM 
be driven to print an indicia image witfuxit the neces- 
sary accounting taking place. 

In order to overcome the security problem cfis- 
cussed above, a secure electronic link is provided 
t)etween vault mk:roprocessor 7 and print module 
microprocessor 41 . The secure electronic Onk is accom- 
plished through an encryption process which provides 
for a nutual authentication between the printhead mod- 
ule 5 and the vault miaoprocessor 7 prior to authorizing 
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printing of the indicta-lniage, debiting of postage, and 
i^xJates to certain vautt data such as PIN location and 
account nunt>efs. TTie encryption process significantty 
decreases the poss3>Qity of data interception and repro- 
duction. Moreover, in the pr^erred enritxxliment t>ase 
microprocessor 9 acts as a non-secure communication 
channel between the vault miaoprocessor 7 and print 
nxxJule microprocessor 41 . However, the secure linked 
d^cussed atx>ve and deserved in more detail t>elow 
can be appOed between any sut)systems of postage 
meter 1. 

An embodiment of the method is descr3>ed in Fig- 
ure 3. In step SI an operator ent^ a desired postage 
amount for a postage transaction via the keytx>ard 11. 
Upon insertion of the mailpiece into the postage meter 
1 and Hs damping in place by a platen (not shown), 
base miaoprocessor 9 sends a signal to vault micro- 
processor 7 arKJ print module microprocessor 41 
requesting that a session key (SK) be established as 
shown in step S2. In order to estat)lish the session k^, 
vault microprocessor 7 arvi printhead module micro- 
processor 41 each have an identical set of 'M'auttien- 
tication keys (AK) stored in memory, with each 
authentication key having a particular index (1 to M) 
associated therewith. In adcfition, print module micro- 
processor 41 also has a set of numbers ~0 to N'stored 
therein which are used to select a particular one of the 
authentication k^. That is, print nxxiule miaoproces- 
sor 41 is programmed for each postage transaction to 
select one of the set of numbers *0 to N' either on a 
sequential or random basis (step S3). Assunnng for 
exanple that the number 'N' is selected, print module 
microprocessor 41 deterrrnnes the particular authenti- 
cation key index AKI (step S4) utilizing a conventional 
translation function tfiat creates an index within the 
range 1 to M. Since the authentication k^ AKI to AKM 
are stored in a look-up table in the vault microprocessor 
7 arKf print module miaoprocessor 41, the index AKI 
can be associated with a particular key, such as for 
example, AKI (stepS5). It ^ important to note that the 40 
set of numk)ers 0 to N can t>e much larger than the 
nuiTfoer of keys 1 to M. Therefore, the confoination of a 
large set of numbers 0 to N combined with the random 
selection of one of these numbers to aeate the index 
AKI results in a very secure process. 45 

After print module miaoprocessor 41 selects one of 
the numt^ers 0 to N, that number sent to vault micro- 
processor 7 together with a first piece of data VD1 that 
varies with each postage transaction and is stored in 
regpster counter 77 in print module microprocessor 41 so 
(step S6). Upon receipt, the vault miaoprocessor 7. 
which has stored therein an identical authentication key 
look-tp table and the AKI translation function used by 
the print module rriaoprocessor 41, irxJependerrtfy 
uses the selected nurrfoer 0 to N to generate AKI and ss 
identify th e same authentication key AK (step ST) being 
utiGzed by the print module miaoprocessor 41. The 
vault microprocessor 7 also has a register 79 whose 



contents VD2 are variable for each postage transaction 
and are i^ed together with the authentication key AKto 
aeate the session key SK (step S8). That is, a conven- 
tional encryption algorithm is appGed to VD2 and the 
authentication key to produce the session key: 
SK= ENCRYPT{VD2, AK). 

Once vault microprocessor 7 detemtines the ses- 
sion key, it generates a first authentication cert^icate 
(AUC1) (step S9) as foGows: 

AUC1 = ENCRYPT(VD1, SK) 
Sutjsequent to generation of the first authentication cer- 
tificate, vault microprocessor 7 serxis all or part of the 
first authentication certificate and VD2 to the print mod- 
ule microprocessor 41 (step S10). That is, if AUCI ^ for 
example, eig^ bytes of data, it can be sent in total or a 
truncation algorithm can be applied to it to only send a 
predetermined number of bytes of AUC1. The print 
module miaoprocessor 41 . upon receipt of AUCI , inde- 
pend^y det^mines SK (step S1 1) in the same man- 
ner as vault miaoprocessor 7 since print module 
miaoprocessor 41 has stored therein the DES algo- 
rithm, has itself generated AK, and has received VD2 
from vault mrcroprocessor 7. 

Sii>sequent to Hs generation of SK. print module 
miacprocessor 41 generates a secorvi authentication 
certificate: 

AUC2 = ENCRYPT(VD1, SK) 
which shouU be the same as AUCI (step S12). In the 
event ttiat print module miaoprocessor compares 
AUC1 to AUC2 (step SI 3) and th^ are not the same, 
the print module miaoprocessor 41 will initiate cancel- 
lation of the postage transaction (step S14) . On the 
ottier hand, if AUCI and AUC2 are ttie same, print mod- 
ule microprocessor 41 has authenticated tfiat vault 
miaoprocessor 7 is a valid vault It is to be noted that if 
a tmncated portion of AUCI is sent from vault miao- 
processor 7 to print module microprocessor 41. then 
print module microprocessa 41 must apply the same 
truncation algorithm to AUC2 prior to the comparison 
step. 

Sut>sequent to vault miaoprocessor 7 authentica- 
tion, print module miaoprocessor 41 generates a first 
ciphered data certificate "CD1 * where: 
CD1 = ENCRYPT(VD3. SK) 

and VD3 repres&its a variable piece of data within the 
meter 1 such as piece count or date of subm^on. 
which data is made available.to both the vault iniao- 
processor 7 and print module miaoprocessor 41 (step 
S15). Upon generation of CD1, it is sent in whole or in 
part (as (fiscussed in connection with AUCI, AUC2) to 
vault microprocessor 7 (step SI 6). V^tt mk;roproces- 
sor 7 then generates its own C9>hered certificate of data 
•002" by applying ttie encryption algorithm to VD3 and 
the session k^ SK generated by vault miaoprocessor 
7 (step S17). VSault rriaoprocessor 7 then conrpares 
CD1 to CD2 (step S18) and if th^ do not match, vault 
miaoprocessor 7 initiates cancellation of the postage 
transaction (^ep SI 9). In the event that CD1 and CD2 
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are the same; the vauH miaoprocessor-T^ias'authentk * 
cated print module microprocessor 41 and mutua] 
authentication t>etween vault microprocessor 7 and 
print module microprocessor 41 has been completed. 
Subsequentiy, vault microprocessor 7 is prepared to 5 
debit the required postage amount in the accounting 
module. Upon completion of the debit a print command 
is sent to the printhead module 5 to initiate printing of 
the indicia image (step S20). 

The atxyve process provides an extremely secure w 
electrontc link between 8ut>systems because all data 
which is transmitted t>etween the siit>systemss variable 
for each postage transaction. While this does not nec- 
essarily have to be the case, it provides inaeased secu- 
rity by reducing the predictat>ility of the data being is 
transferred. The of the variable data (VD1, VD2. 
VD3) ensures the uniqueness of the ciphered values 
(SK. AUC1. AUC2. GDI. CD2) for each postage trans- 
action. Moreover, the session key. which is required to 
initiate the whole mutual authentication procedure arvi so 
to generate AUC1 . AUC2. GDI and CD2, is never trans- 
mitted between the individual sut>systems thereby guar- 
anteeing the secure knowledge of the session k^ 
among the subsystems. Rnally, if a truncation algorithm 
is used in connection with any or all of the generated 25 
certificates, security is further enhanced since the trurv 
cation algorithm must be known in order to compile the 
postage transaction. 

In view of the foregoing description of an electronk; 
postage meter having a multiple pass printing capatxlity 30 
and a mutual authentication process, and the previously 
discussed potential security issues associated with 
each of these features, it is dear that future changes to 
the security features of the postage meter may be 
required sut>sequent to the postage met^ being placed 35 
in its operating environment With respect to the multi- 
ple pass printing feature of postage meter 1. it is possi- 
t)le to renxnely change postage m^erl from a two pass 
printing scheme to a single pass printing scheme. That 
is. postage meter 1 has within its encoded software in 40 
base microprocessor 41 a tim&out feature that prevents 
postage meter 1 from operating if it does not communi- 
cate with data center 8 within a fixed time period, such 
as for example a four morrth period. Thus, use can be 
made of this forced communk:ation with data center 8 to 45 
change the printing operation of printhead 33. That is. 
when cental computer 6 of data center 8 is in commu- 
nication with postage meter 1 it can. for example, servj 
out a secure one byte or a plurality of bytes print change 
message to base microprocessor 9. via the modem 10. so 
requiring that postage meter 1 change from a two pass 
system to a one pass system Base microprocessa 9 
wouM in tum transfer this print change message to 
printhead miaoprocessor 41. Microprocessor 41 
receives the print change message and interpr^ it via ss 
a software program stored in its ROM 80. Microproces- 
sor 41 then sets a flag stored in its non-volatile memory 
81, which flag identifies whettier a two pass or a one 



pass printing process wiD be utiOzed: Upon identification - 
of the one pass printing requirement, microprocessor 
41 provides this information to ASIC 39 which then only 
drives printhead 33 through its driver 37 to perform the 
first pass of printhead 33 to produce a single indicia 
image and does not exercise the feature of requiring a 
second pass of printhead 33 for producing either a sec- 
: ond complete indicia or a portion thereof either of whk;h 
would be interlaced with the first produced indk^ta dur- 
ing a two pass printing techniqua 

It is important to note that although postage meter 
1 could be set up so that the print change message 
received by microprocessor 41 from data center 8 would 
allow the postage nteter to be repetitively remotely 
switched between a one pass printing system and a two 
pass printing system, it wfll often be desirable to ensure' 
that the change from a two pass printing system to a 
one pass p>rinting system is irreversible. This is acoom- 
plshed in the system descrfoed via the software pro- 
gram stored in ROM 80. That is. the software program 
stored in ROM 80 is only capable of receiving and inter- 
preting a print change message requiring a change 
from a two pass system to a one pass system. In the 
event tfrnt a message is received by microprocessor 41 
requesting a change from a one pass to a two pass sys- 
tem, this message cannot be processed by nrticroproc- 
essor 41. Thus, the process for renrxrtety changing 
printing operation of printhead 33 can be made to 
ensure tfiat the change is irreversOsle. 

While changing from a two pass system to one 
pass system has been discussed in the context of the 
preferred embodiment, it is very dear that the system 
can t>e arranged to change the operation of printhead 
33 so that it can print an indicia in any number of print- 
head passes. Thus, it is foreseeable that this renxrte 
technk)ue for changing the printing operation of print- 
head 33 could also be utilized to increase the nurTt>erof 
passes of printhead 33 to produce a higher density and 
t>etter quafity indk»a image in the event ttiat a postal 
authority required such change in the futura 

The data center 8 can also be used to effectively 
change, for example, the authentication keys (AK) uti- 
lized in the previously described mutual authentication 
procedure in the event tfiat the security of any original 
authentication keys (AK) is compromised. ThiswouMbe 
accomplished by central corrputer 6, of data center 8. 
serxling a secure meter modrfk^ation code to both print- 
head microprocessor 41 and vault rrvcroprocessor 7, 
via t>ase mk^roprocessor 9. Rgure 4 id^rtifies a repre- 
sentative secure meter modification code 83 which 
couM be utilized. As noted, secure meter modfffoation 
code 83 consists of a single byte of information. The first 
three bits (JaO, b1 . t^) are randomly generated by cen- 
tral computer 6. The second three t>its (b3. b4. t>5.) are 
utilized to detenmine whk:h of authentication keys (AK) 
are to be changed. The last two bits (bS. b7.) are utilized 
as the previoi^ discussed print charige message for 
changing the number of passes (a other characteris- 
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tics) -of printheacWa so^that the dversification (chang- 
ing) of authentication keys (AK) and changing of the 
operatian of printhead 33 can be accomplished via the 
sending of the single meter modification code messaga 
In order to complete changing of the authentication keys 
(AK), both microprocessor 41 and vault microprocessor 
7 would have at least one common algorithm stored 
therein which wouki utilize data bits bO, b1. and b2. to 
generate new authentication keys (AK). The use of 
known algorithms for generating keys is well known in 
the art and the details of which are not herein descrft>ed 
as they are not considered essential for an understand- 
ing of the claimed invention. 

In an alternative emtxxliment, a pturafity of com- 
mon algorithms are stored in both vault microprocessor 
7 and microprocessor 41 and a randomly selected one 
of these algorithms is used to change the authentication 
k^ (AK). In this embodiment, the first bit. bO, of meter 
identification code 83 is designated to identify which of 
the stored common algorithms is to be used to create 
new aulhenticatkxi keys (AK). Thus, central conputer 6 
rarxiomly sheets which of the common algorithms are 
utilized. Upon identif k^ation of the algorithm, vault mk:ro- 
processa 7 and print module mk:roprocessor 41 would 
then the data of txtsbS, b4, and t>5 to identify some 
or all of the authentication keys (AK) to change. The 
information in bits b1 and b2 are then used in a known 
manner with the selected algorithm to generate the new 
authentication keys (AK). 

It is important to note that whOe the cfiversif ication of so 
the autherTticatk>n keys (AK) in postage meter 1 was 
used as a representative exarrple of the type of secret 
keys that can be remotely changed, the instant inven- 
tion is not limited to such keys. That is, any keys whk:h 
are used in postage metar 1 for any type of security ss 
application can be diversified utilizing the inventive pro- 
cedure and apparatus set forth herein. Moreover, vault 
microprocessor 7 can either t>e an embedded micro- 
processa within postage meter 1 or couM t>e an exter- 
nal smart card which is inserted into postage meter 1 in. 4o 
a known manner. Additionally, whQe the invention has 
been descrbed in connection with a postage meter, it is 
equally applicat)le to any type of device which dis- 
penses value and requires security. Such additional 
devices could for exarrple, be tax starrp machines. 4s 
ticket vending machines, and lottery machines. 

In tiie abcve<|escr£bed entedtments, the print 
change message and meter modifk»tk>n code 83 sent 
by data center 8 to postage meter 1 were each identified 
as being "secure"; that is. to prevent any unautfiorized so 
att^ation of either tfie print change message or the 
meter modifk»tion code 83. tiiey would both be 
encrypted at the data center. The encryption could, for 
exarrple. be a known technique whk:h utiSzes a set of 
master keys and a known encryption algorithm, which 55 
technique is applied to ttie message at tiie data center. 
The postage meter would also have the same set of 
master keys and the algoritiim so that it can decrypt the 



-message. However.' if ttiemessage or code were inters 
cepted. tiie encryption schme would have to be brok^ 
before any atteratfon of tiie message could poss3)ty 
take place 

Additionany. and in order to ensure that tiie print 
change message and the meter mocfif ication code 83 
have been received and property executed by tiie post- 
age meter 1. an encoded verification message sent t}y 
postage meter 1 must be received by data center 8. The 
verification message would identify the actfon taken in 
response to the received print change message or 
meter modification code 83. If the verifk^ation message 
Is not consistent with the message or code sent by the 
data center or fe not received by tiie data center 8. tiie 
data center 8 will no longer communicate with the post- 
age meter 1 and the postage meter 1 will automaticalty 
disable itself of the fixed time period of the aforemen- 
tioned time-out feature 

In connection with the print change message, the 
printtiead microprocessor 41 receives the message and 
has the master k^ and algoritiim to decrypt the mes- 
sage Printiiead microprocessor 41 also sends the veri- 
f cation message back to data center 8. On tiie other 
hand when a m^er mocfifkatfon code 83 is sent by data 
center 8 to cfiversify the autiientk:ation keys (AK), both 
tiie vault miaoprocessor 7 and ttie printtiead miaoproc- 
essor 41 receive the code and each have the ma^er 
keys and algoritiim to decrypt ttie code. Moreover, in 
this situation the data center must receive a proper ver- 
if k:ation code from both the vault microprocessor 7 and 
printhead microprocessor 41 within the fixed time period 
or else the meter will be disabled. 

Additional advantages and rrxxfifk^ations will readily 
occur to ttiose skilled in ttie art. Therefore, ttie invention 
In its broader aspects is not limited to the specific 
detail, and representative devices, shown and 
descrik>ed herein. Accordingly, various modifk;ations 
may be made without departing from the spirit or scope 
of the general inventive concept as defined by ttie 
appended claims. 

Claims 

1 . A value printing system corrprising: 

a printing mechanism (33); 
means (31. 32) for moving ttie printing mecha- 
nism in a first predetermined manner during 
' printing t}y the printing mechan^ to record an 
irxfication of value on a recording mecfium; and 
means (6. 8). remote from the printing mecha- 
nism (33) and the moving means, for causing 
the moving m^ns (31. 32) to change tiie 
movement of the printing mechanism (33) from 
the first predetemn'ned manner to a second 
predetermined manner different from the first 
predetermined manner during printing t>y the 
printing mechanism to record ttie indication of 
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^ value on the recording mecfium. 



2. A system as recited in Claim 1. further comprising 
mearts (41) for ensuring that at times when the 
renrrate means (6, 8) causes the moving means (31 , 
32) to change the movem^ of the printing med^- 
nism from the first predetermined manner to the 
second predetenraned manner, the moving means 
(31, 32) cannot be subsequently caused by the 
remote means to change the movement of the 
printing mechanism back to the first predetermined 
manner. 

3. A system as recited in Claim 1 or 2. wherein the first 
predetermined manner involves two passes of the 
printing mechanism over a predetermined area on 
tf« recording medium and the second predeter- 
mined manner involves a single pass of the printing 
mechanism over the predetermined area. 

4. A system as recited in any one of the preceding 
dain^ wher^n the indication of value is a postage 
indida 

5. A system as recited in any one of the preceding 
claims, further compr^ng a telephone modem (10) 
and wherein the rerrvne means indudes a data 
center (8) in communication with the nxving means 
(31 , 32) via the telephone modem (10). 

6. A value printing system comprising: 

a printing nrxxJule (5) arranged to print an indi- 
cation of value on a recording medium; 
means (7) for accounting for the indication of 
value printed, the accounting means (7) and 
printing module (5) communicating with each 
other to ^fectuate printing by the printing mod- 
ule (5); 

means (9) for authorizing the authenticity of the 
communication between the accounting means 
(7) and the printing module (5) as a prerequi- 
site to printing the indication of value on the 
recording mecfium, the autfiorizing means 
induding ttie use of at least one secret key 
stored in ih& value printing system (7); and 
means (8). renxrte from the printing nxxlule (5) 
and the accounting means (7) and the author- 
izing means, for initiating dianging of ttie at 
least one secret key; 

wfierein the dianging means indudes a 
data center (8) operable to send a meter modi- 
fication code to the authorizing means to effect 
changing of ttie secret key. the motfifkHtion 
code is encrypted, and botti tfie printing mod- 
ule (5) and the accounting means (7) each 
have the secr^ key and include at le^ one 
common algorittim stored therein, the common 
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■ • algorithm -being usable't4}on'^-receipt«ofvthe^-»?^» 
meter rhocfifkation code by both the printing 
module (5) and ttie accounting means (7) to 
diange the stored seaet key. 

7. A system as recited in daim 6. wherein each of the 
accounting mear« (7) and ttie printing module (5) 
have a pluraDty of common algorittims stored 
ttierein and the data center (8) is operable ran- 
domly to select one of the plurality of algorittims to 
be used in changing ttie seaet key in both ttie 
accounting means (7) and ttie printing module (5) 
and to klentify ttie selected algorittim to ttie 
accounting means (7) and ttie printing module (5) 
via the meter nrxxiifkation coda 

a A system as redted in Claim 6 a 7, wherein ttie 
irKfication of value is a postage indicia. 



20 9. A system as redted in any one of Qaims 6 to 8, 
wherein both ttie printing nxxlule (5) and ttie 
accounting means (7) each have a plurality of 
secret keys smd at least one common algorithm 
stored therein, the common algorittim t>eing usable 
upon recept of ttie meter modif cation code by botti 
ttie printing module (5) and ttie accounting means 
(7) to diange at least a selected one of the pliHBlity 
of secret keya 

ia A system as redted in Oaim 9, wherein the meter 
nrxxfification code indudes first and secorxl por- 
tions, the first portion clentifying the selected algo- 
rittim and data to be used by ttie selected algorithm 
in changing the selected one of the plurality of 
stored seaet keys and ttie second portion kierrtify- 
ing the selected one of the plurality of seaet keys. 
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